When the State Is the Hacker
On a quiet February weekend in 2016, operatives believed to be working on behalf of the North Korean government accessed Bangladesh Bank's network and sent 35 fraudulent instructions through the SWIFT international payments system. They were attempting to steal $951 million from Bangladesh's central bank account held at the Federal Reserve Bank of New York. Most of the transfers were blocked. But $81 million vanished into casino accounts in the Philippines — laundered so efficiently that nearly a decade later, significant portions remain unrecovered.
That single operation — meticulous, state-sponsored, and deeply humiliating for a country that had done nothing to provoke it — announced Bangladesh's arrival in the most dangerous arena of 21st-century geopolitics: the battlefield of cyber espionage. What the heist demonstrated, above all else, was that no country is too small, too poor, or too peripheral to be targeted. The question for Bangladesh now is whether it has learned that lesson thoroughly enough.
The Architecture of Modern Espionage
State-sponsored cyber operations have become the preferred instrument of strategic competition among major powers. They are cheaper than conventional military action, offer plausible deniability, and can achieve objectives — financial theft, intelligence collection, infrastructure disruption, political manipulation — that would require considerable military assets by traditional means. The United States, China, Russia, Israel, Iran, India, North Korea, and a growing roster of other nations maintain dedicated offensive cyber units. Some of these units operate under military command; others function through proxy groups, private contractors, or criminal networks given operational latitude in exchange for intelligence sharing.
The International Institute for Strategic Studies notes in its 2025 Strategic Survey that cyber espionage campaigns often reflect state interests in gaining leverage in diplomatic negotiations or monitoring regional alliances. This framing is important because it shifts the analysis from crime to statecraft. The Bangladesh Bank heist was not a bank robbery in any conventional sense. Some security companies, including Symantec Corp and BAE Systems, claimed that the North Korea-based Lazarus Group, one of the world's most active state-sponsored hacking collectives, was probably behind the attack, citing similarities between the methods used in the Bangladesh heist and those in other cases. The operation was geopolitical, not criminal, even if its proceeds went toward financing weapons programs rather than funding armies in the field.
The Bangladesh Bank Heist: Anatomy of a State Attack
The mechanics of the 2016 heist remain instructive. The attack was meticulously calculated, beginning a year before the funds were eventually released. Emails containing malware were sent to employees of Bangladesh Bank — seemingly harmless files which, when opened, released malware onto the user's computer, allowing attackers to gain access to the wider systems. This initial phase — the long, patient reconnaissance — is characteristic of state-level operations. Criminal hackers tend to move fast and loudly. Nation-state actors embed themselves quietly and wait.
Once inside, the hackers initiated a series of unauthorized money transfers using the SWIFT system, manipulating it to issue fraudulent payment orders, effectively siphoning off $81 million from Bangladesh Bank's accounts. The operation only failed to achieve its full $951 million target due to a spelling error: the hackers misspelled "foundation" as "fandation" in a transfer instruction, triggering a manual review by Deutsche Bank that halted the remaining transfers. A typographical mistake saved Bangladesh hundreds of millions of dollars.
According to investigators, the perpetrators' familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on its workers, and the FBI reported that agents found evidence pointing to at least one bank employee acting as an accomplice. The presence of an insider speaks to a dimension of cyber espionage that technical defences alone cannot address: human vulnerability. Social engineering, coercion, and ideological recruitment remain essential components of state intelligence operations, and digital intrusions almost always involve some element of human exploitation alongside technical compromise.
The DoNot APT and Bangladesh's Diplomatic Exposure
The Bangladesh Bank heist was not an isolated event. In 2025, analysts documented that a cyber espionage group known as DoNot APT — attributed by multiple researchers to India — had targeted European diplomatic institutions using lures that specifically referenced defense attaché visits to Bangladesh. The choice of lure suggests the attackers exploited Italy's diplomatic engagements in the region, possibly to access communications related to EU-South Asia relations or Italy's role in multilateral forums.
The implication is significant. Bangladesh need not be the primary target of a cyber espionage operation to become a vector or a focal point. The country's growing diplomatic profile — its relationships with India, China, the United States, and the European Union — makes it a useful lens through which state intelligence agencies view regional dynamics. When major powers spy on each other's diplomats, they often do so by exploiting shared engagements with third countries. Bangladesh's diplomatic positions, trade relationships, and security partnerships are all data points in intelligence assessments that Dhaka has little visibility into.
Bangladesh's Digital Expansion and the Attack Surface It Creates
The scale of Bangladesh's digital transformation makes the cybersecurity challenge more urgent with each passing year. With over 126 million internet users, the country is a key player in the global digital economy. By one estimate, the country has faced over 63 million cyberattacks in a single year, revealing a pressing need to fortify its digital defenses.
Bangladesh's cybersecurity market is expected to reach USD 218.15 million in 2025 and grow at a CAGR of 15.20% to reach USD 444.53 million by 2030. That growth reflects the seriousness with which both government and private sector are approaching the threat — but it also reflects just how large the exposure has become. Every new digital banking user, every e-commerce transaction, every government database brought online represents both an economic gain and a potential intelligence vulnerability.
Recent incidents underscore the point. In January 2025, City Bank PLC reported a breach that exposed client financial statements, underscoring deficiencies in session management and multi-factor authentication. In March 2025, Bangladesh Cyber Security Intelligence revealed insider data theft by officials who accessed the National Intelligent Platform. Two separate incidents — one in the financial sector, one inside government — within the same quarter of the same year. The pattern is not one of external penetration alone; it includes the same insider-threat dynamic that characterised the 2016 central bank operation.
The Legal Framework: Progress and Its Limits
Bangladesh's legislative response to the cyber threat has been both active and contested. The country introduced the Digital Security Act in 2018, which was broadly criticised for its vague language and its use against journalists and political dissidents. A successor law, the Cyber Security Act 2023, attracted similar criticism. The interim government that took power following the political upheaval of 2024 repealed the CSA and introduced the Cyber Security Ordinance 2025, which outlines provisions related to the formation of a National Cyber Security Agency, regulatory measures for critical information infrastructures, and protocols for addressing cyber incidents, including emergency responses and digital forensics, with stringent penalties for violations including unauthorized access, hacking, and cyberterrorism.
But human rights organisations have flagged serious concerns. Multiple international organisations have noted that the proposed ordinance mandates enrollment of all data controllers and processors in a publicly accessible register, raising serious privacy and security concerns particularly for entities handling sensitive user data — risking exposure to cyberattacks, espionage, and targeted harassment, especially against the backdrop of digital threats faced by journalists, activists, and human rights defenders. The tension between security legislation and civil liberties is not unique to Bangladesh — it plays out in every democracy trying to regulate cyberspace — but in a country still navigating a political transition, the stakes are unusually high.
A Scorecard With Complications
Bangladesh's formal cybersecurity standing has improved dramatically on paper. According to the fifth edition of the Global Cybersecurity Index 2024 report published by the ITU, Bangladesh scored 95 out of 100 marks and obtained full marks in three out of five categories including technical capabilities, organizational skills, and collaboration and coordination. That ranking places Bangladesh among the top 10 percent of cyber-secure countries globally — a remarkable achievement for a country that was still operating legacy systems and missing basic authentication protocols when its central bank was looted less than a decade ago.
But index rankings measure frameworks and policies, not operational resilience. The gap between institutional architecture and ground-level security practice remains a serious concern. Bangladesh has established 35 infrastructures dedicated to cybersecurity, yet future-focused strategies are still needed to address emerging threats, including the growing interconnectedness of smart devices and IoT networks. Having the infrastructure is a necessary condition for security; it is not a sufficient one.
The Geopolitical Dimension Bangladesh Cannot Ignore
Bangladesh sits at one of the most contested geopolitical intersections in Asia. India's strategic interests, China's Belt and Road investments, US Indo-Pacific strategy, and the interests of Gulf states all converge in and around the country. In this environment, cyber espionage is not merely a technical threat — it is a dimension of foreign policy.
Intelligence services from multiple major powers have active interests in Bangladesh's political trajectory, its military posture, its economic relationships, and its diplomatic positions. The 2025 DoNot APT case, in which Bangladesh appeared as a diplomatic reference point in an operation targeting European institutions, suggests that the country's international relationships are being actively monitored by actors who may not wish Dhaka well. For a country that has historically valued non-alignment and careful neutrality, this is a challenge that goes beyond firewalls and patch management.
The Chatham House 2025 Global Security Report emphasises that cyber espionage targeting diplomatic institutions is a form of asymmetric warfare, enabling states to gain intelligence without the costs of traditional espionage. The global economic cost of cyber-attacks is estimated at $10.5 trillion annually. Bangladesh cannot insulate itself from this environment. But it can ensure that its institutions, its financial infrastructure, and its diplomatic communications are hardened against the kind of penetration that has already, once, cost it $81 million and its central bank governor his career.
What a Serious Response Looks Like
The path forward for Bangladesh involves more than legislation and index rankings. Experts have argued that Bangladesh must consider signing the Budapest Convention on Cybercrime, which would align the country with international standards, enhance its Global Cybersecurity Index ranking, ensure stronger protections for its citizens, and bolster its overall cybersecurity resilience. The convention, which now has over 60 signatories, provides a framework for international law enforcement cooperation on cybercrime — precisely the kind of cooperation that proved inadequate in the chaotic aftermath of the 2016 heist.
Beyond treaties, the human dimension requires sustained investment. In November 2024, BASIS and SICIP began a four-year program to train 3,000 cybersecurity professionals — a meaningful initiative, though analysts consistently note that the demand for qualified cybersecurity talent in Bangladesh far outpaces current supply. The same digital transformation that is driving economic growth is creating vacancies that hackers, state-sponsored or otherwise, are ready to exploit.
Bangladesh earned its place as one of the world's most resilient countries on paper. The harder work — building resilience that can withstand not just opportunistic criminals but patient, well-resourced state actors — has only just begun.
win-tk.org is a wintk publication. This article is part of our ongoing geopolitical analysis series covering security and digital governance in South Asia.